This document describes the steps required to install the squid proxy server from http://squid-cache.org and webmin from http://webmin.com on a debian 4.0 system, as well as the basic steps required to configure squid to listen on multiple ip addresses and use them as outgoing source addresses for connections. It also shows how to configure squid from webmin to accept connections only from predefined clients, based on the client's ip address.

For the steps presented below, root access over ssh on the server or physical (console) access will be required.

Squid installation

Installing squid on a debian system is straightforward. The administrator must be logged in as root and just type: apt-get install squid. This will install squid along with all required dependencies (it may ask for the user's permission to install; in that case just approve).

Webmin installation

Download the webmin .deb package from http://webmin.com/download.html and upload it to your server, then type: dpkg -i webmin_1.xyz.deb where xyz is the current webmin version. This will look for required dependencies and will let you know if something is missing. In case anything is missing you can just install it using the apt-get install command, similar to how you installed squid.

Webmin configuration

If webmin and squid were both installed from the standard debian packages then webmin should already know where the squid configuration files are and be able to modify them and stop/start squid. If this is not the case then you can set the paths in the module's configuration section.

Squid Anonymous configuration

Set http_port to specify the port and ips where squid will listen for incoming connections. If you want squid to listen on any of the available ips just set it like this: http_port 3128

Some may want to remove the lines that contain Cookie and Set-Cookie headers, but if you do that most sites will not work anymore because most require cookie / session support.

Squid multiple ip configuration

We want connections that arrive on one ip to go out on the same ip. First set acls to identify the ips where squid listens for incoming connections. Let's say we have 3 ips: 10.0.0.1, 10.0.1.1 and 10.0.2.1. The acls would look like this:

acl in_10_0_0_1 myip 10.0.0.1/32
acl in_10_0_1_1 myip 10.0.1.1/32
acl in_10_0_2_1 myip 10.0.2.1/32
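
An added example, not part of the original article: a small generator that pairs each listening ip with a myip acl and a tcp_outgoing_address rule, so traffic accepted on an address leaves from the same address. The tcp_outgoing_address directive does not appear on the page and is used here as an assumption about how the mapping is completed; the function names are hypothetical.

```python
import ipaddress

def acl_name(ip):
    # Naming scheme used in the article: 10.0.0.1 -> in_10_0_0_1
    return "in_" + str(ip).replace(".", "_")

def outgoing_config(ips, port=3128):
    """Build squid.conf lines that bind each listening ip to itself as the
    outgoing source address. Raises ValueError on a malformed or repeated ip."""
    addrs = []
    for raw in ips:
        ip = ipaddress.IPv4Address(raw.strip())  # rejects e.g. 10.0.0.0.10
        if ip in addrs:
            raise ValueError(f"duplicate address {ip}")
        addrs.append(ip)
    lines = []
    for ip in addrs:
        # Listen on this address only, on the port used in the article.
        lines.append(f"http_port {ip}:{port}")
    for ip in addrs:
        # myip matches the local address the client connected to.
        lines.append(f"acl {acl_name(ip)} myip {ip}/32")
    for ip in addrs:
        # Requests matching the acl leave the proxy with this source address
        # (assumed directive, not shown in the article).
        lines.append(f"tcp_outgoing_address {ip} {acl_name(ip)}")
    return lines

if __name__ == "__main__":
    # Constructed sample input: the three addresses from the article.
    print("\n".join(outgoing_config(["10.0.0.1", "10.0.1.1", "10.0.2.1"])))
```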

Set up access rules based on client ip

You will have to set up acls similar to the above, but they identify the client's ip (not the proxy server's ip). These acls will be used in the http_access directive. This can be done directly from the configuration file.

Here is a sample that shows how to allow access for a client with the ip 10.0.0.10:

acl cli_10_0_0_10 src 10.0.0.10
http_access allow cli_10_0_0_10

Just put those two lines in squid.conf before the “http_access deny All” line.

You can also add an ACL from webmin -> Servers -> Squid Proxy Server -> Access Control -> Edit Acl. The acl type has to be “Client address”. You just have to set a name and a “From address” (the address you want to allow access to squid) for it and then save it. After you set the ACL you have to go to "Add proxy restriction", set the Action to “Allow”, select your acl from the "Match ACLs" box and click save. After the save you should be redirected to the main acls page where you should see your acl in the “Proxy restrictions” list, right at the bottom. You will have to make sure your acl goes before the “Deny all” entry or else it will have no effect. You can move it one row up by clicking the “Up” arrow.
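
An added example, not part of the original article: a pre-restart check for the two mistakes this section can produce, a mistyped client address in a src acl and an allow rule that ends up after “deny all” and therefore has no effect. The function name and the sample configuration are constructed for illustration; the check assumes src values are single addresses or networks and that an acl named all exists.

```python
import ipaddress

# Constructed sample: one mistyped client address, one rule placed too late.
SAMPLE_CONF = """\
acl cli_10_0_0_10 src 10.0.0.0.10
acl cli_10_0_0_11 src 10.0.0.11
http_access allow cli_10_0_0_10
http_access deny all
http_access allow cli_10_0_0_11
"""

def lint_access_rules(conf):
    """Return (line_number, message) findings for src acls and rule order."""
    findings = []
    defined = set()
    deny_all_at = None
    for n, line in enumerate(conf.splitlines(), 1):
        parts = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) >= 4 and parts[0] == "acl":
            defined.add(parts[1])
            if parts[2] == "src":
                for value in parts[3:]:
                    try:
                        ipaddress.ip_network(value, strict=False)
                    except ValueError:
                        findings.append((n, f"acl {parts[1]}: bad src address {value}"))
        elif len(parts) >= 3 and parts[0] == "http_access":
            if deny_all_at is not None:
                # Rules are evaluated top down; nothing after deny all is reached.
                findings.append((n, f"rule follows 'deny all' on line {deny_all_at}"))
            elif parts[1] == "deny" and [p.lower() for p in parts[2:]] == ["all"]:
                deny_all_at = n
            for name in (p.lstrip("!") for p in parts[2:]):
                if name not in defined and name.lower() != "all":
                    findings.append((n, f"http_access uses undefined acl {name}"))
    return findings

if __name__ == "__main__":
    for lineno, message in lint_access_rules(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```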

Now you can start/restart squid from the command line ( /etc/init.d/squid start or /etc/init.d/squid restart ) or from webmin -> squid proxy server. You can test your squid configuration by setting any of the available ips as a HTTP proxy in your browser (port 3128) and then going to http://spotip.com. That site should show you the exact ip you have set up as proxy in your browser.

The idea is that we allow everybody access to a few headers and then at the end deny access for all other headers, including headers that could reveal the identity of the client. Some people that are more paranoid would want to also deny access to cookie/set-cookie headers but this just breaks a lot of functionality as most sites use cookies these days. I also observed some sites don’t work if I don’t allow access to the User-Agent header so if you’re having troubles you might want to add a rule for it before the deny all at the end.

Yes, and even if you can’t rewrite User-Agent or some site is only available for some browsers, the User-Agent is not really identifying information so I think we’re safe to say we’re still anonymous even if we send the real User-Agent.

Hi there… first of all… great article. I do have a question though for which I just can NOT seem to find a solution, and I am hoping you could point me in the correct direction.

I am trying to set up a single proxy server which essentially just acts as a relay for other proxy servers. My objective is to be able to enter a single proxy server into for example my web browser and automatically have this proxy server switch at regular intervals through a list of different proxy servers (with/without authentication). How can I do this?

You can use the other proxies as the “cache peers” for the main proxy. But you would need a script that would change the configuration of the main proxy and restart/reload it at regular intervals if you want to switch/rotate the peers.